Federations on the rise… 
© WALLNOY 
Licia Florio (GÉANT) & Harold Teunissen (SURFnet) 
MAGIC Workshop SC14 
New Orleans, November 2014
Serving Dutch research & education 
MAGIC WORKSHOP — SC14 — New Orleans, LA, November 2014 
SURF as umbrella 
• All ICT activities for Higher Education and Research in the Netherlands are under the SURF umbrella 
[Diagram: SURF's areas of activity] 
- Scientific Computing & Big Data 
- Commercial ICT Products & Services 
- National Research & Education Network 
- eScience Collaboration and Tools 
Where are these Id. Federations? 
[World map of identity federations, each marked as pilot or production. Source: REFEDS map] 
Federation essentials 
• We need a working inter-federation framework 
• Collaboration does not have boundaries 
Federations work but… 
CHALLENGES STILL AHEAD 
[Diagram: open challenges] 
- Attribute aggregation 
- Credential translation 
- Levels of assurance 
- Bridging communities 
- User friendliness 
- Attribute release 
- Homeless users 
- Non-web-browser 
Developments in EU and beyond 
• EU work on two tiers: 
- National basis, led by the NRENs 
- EU scale as part of the GEANT project, mostly the Identity and Trust research work and services 
• Global scale: 
- REFEDS 
GEANT InAcademia 
• To create a simple service to validate the affiliation of a user (i.e. is this a student?) 
• Use-cases for this: 
- Web shop discounts 
- “Free” access to some cloud services (e.g. Office 365, Apple, etc.) 
- Validate affiliation on relevant social platforms 
• Pilot service expected by end of 2014, early 2015 
InAcademia Rationale 
eduPersonAffiliation attribute 
• The attribute within a federated login can be used to validate membership of the academic community, however: 
- Joining a federation is a problem (policies and contracts) 
- Implementing SAML and doing federation is tough 
- Inter-federation is even harder 
- Up-front cost, but no customers 
• So, a lot of work, while the service only needs the affiliation — pretty low risk in the privacy spectrum 
InAcademia — Workflow 
• Service gets attributes directly from user (self asserted or social) 
• Service queries a single “centralised” service (the InAcademia Simple Validation Service) to confirm affiliation 
• A well understood protocol can be used to query InAcademia 
• Policy barrier for using InAcademia is low 
• The user “proves” his affiliation at InAcademia, which is under control of the existing federations and NRENs 
• InAcademia is connected to eduGAIN 
• Authentication at home Identity Provider delivers requested affiliation 
• InAcademia interprets the affiliation and answers the requesting service, but never directly delivers attribute values! 
• User gets discount and service pays a small transaction fee 
InAcademia — Benefits 
• For Identity Providers 
- SAML based, connected via eduGAIN 
- Two profiles that have minimal ‘low risk’ attribute requirements 
- No personal data stored at central service 
- One connection with many services that are of high value to users, but low effort for IdPs 
• For Services 
- OpenID Connect interface towards service, no SAML required 
- No need to deal with (inter) federation 
- Simplified policy, compatible with eduGAIN CoCo 
- Little upfront cost, only pay small amount when transaction is made 
- One connection with many trusted Identity Providers 
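The workflow and benefits slides above describe the security property that matters here: the central validation service sees the home IdP's SAML attributes, but the requesting service only ever receives a verdict, and nothing personal is stored centrally. The following Python simulation is an added example, not InAcademia's own code; the profile names, the issuer URL and the sample assertion are constructed assumptions. It parses a SAML attribute statement, evaluates one validation profile, returns OpenID Connect-style claims that contain only the yes/no answer, and refuses to return anything in which a raw attribute value would appear.

```python
"""Simulation of the InAcademia-style flow on the workflow and benefits
slides: a central validation service answers 'is this user a student?'
without forwarding the IdP's attribute values and without storing personal
data. Added example, not InAcademia's code. Profile names, issuer URL and
the sample assertion are constructed assumptions."""
import secrets
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# eduPersonAffiliation under its standard OID-based SAML attribute name
EDU_PERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

# Assumed validation profiles. The slides mention two low-risk profiles
# without naming them; these are placeholders mapped onto the
# eduPersonAffiliation vocabulary.
PROFILES = {
    "is_student": {"student"},
    "is_affiliated": {"student", "faculty", "staff", "employee", "member"},
}

# Constructed assertion as a home IdP might return it via eduGAIN. It also
# carries mail and displayName, which must never leave the validation service.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>j.doe@university.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes_from_assertion(assertion_xml):
    """Return {SAML attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def validate_affiliation(assertion_xml, profile, service_id):
    """Answer one service's question for one profile.

    Returns (claims, audit_record): the OIDC-style claims carry only the
    verdict, the audience and a transaction id; the audit record keeps the
    transaction id and the result, never an attribute value.
    """
    if profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile}")
    attrs = attributes_from_assertion(assertion_xml)
    affiliations = set(attrs.get(EDU_PERSON_AFFILIATION, []))
    confirmed = bool(affiliations & PROFILES[profile])
    txn = secrets.token_hex(8)  # per-transaction id, the only identifier kept
    claims = {
        "iss": "https://validation.inacademia.example",  # assumed issuer
        "aud": service_id,
        "jti": txn,
        "profile": profile,
        "affiliation_confirmed": confirmed,
    }
    audit_record = {"jti": txn, "aud": service_id, "result": confirmed}
    # Defensive check: no raw IdP value may appear in anything that leaves
    # or is stored by the service.
    outbound = set(claims.values()) | set(audit_record.values())
    leaked = [v for vals in attrs.values() for v in vals if v in outbound]
    if leaked:
        raise RuntimeError(f"attribute values would leak: {leaked}")
    return claims, audit_record


if __name__ == "__main__":
    for name in PROFILES:
        print(validate_affiliation(SAMPLE_ASSERTION, name, "https://webshop.example"))
```

The leak check is the point of the design: the verdict is computed from the attribute set, but the set itself never becomes part of the claims or the audit trail, which is what lets the policy stay "low risk in the privacy spectrum" for both the IdP and the service.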
REFEDS 
• REFEDS = Research and Education FEDERATIONS 
- To articulate the mutual needs of research and education identity federations worldwide 
- To offer best practices for R&E federations to ease inter-federation 
- Supported by GEANT Association (formerly TERENA) 
- Open to anybody with an interest in using federated credentials 
https://refeds.org
REFEDS — Entity Categories 
• Aim: to group federation entities that share common criteria 
- To ease the attribute release problems 
- IdPs would release the same set of attributes to all SPs in a category rather than negotiating with each of them individually 
• Two categories approved: 
- Hide from Discovery 
- Research and Scholarship 
https://wiki.refeds.org/display/ENT/Entity-Categories+Home
REFEDS — SIRTFI 
• A Security Incident Response Trust Framework for Federated Identity — SIR-T-FI 
• To define a process for expressing security incident handling requirements as an assurance profile for federations. 
• Not strictly a REFEDS work, yet… 
• A lot of interest in this area 
https://wiki.refeds.org/display/GROUPS/SIRTFI
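Both the Entity Categories slide and the SIRTFI slide come down to the same mechanism: an entity attribute in SAML metadata that lets an IdP decide per category (release the Research and Scholarship bundle, hide an IdP from discovery, trust a SIRTFI self-assertion) instead of negotiating with every entity individually. The Python below is an added example, not REFEDS', eduGAIN's or any federation's own code. The metadata and entity IDs are constructed; the R&S attribute bundle follows the REFEDS R&S specification as I read it; and the SIRTFI value is the assurance-certification identifier the framework later came to be expressed as, which these 2014 slides predate.

```python
"""Added example: read entity attributes from SAML metadata and act on them
per REFEDS entity category (Entity Categories slide) and per assurance
certification (SIRTFI slide). Metadata and entity IDs are constructed; the
R&S bundle follows the REFEDS spec as I read it."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
RESEARCH_AND_SCHOLARSHIP = "http://refeds.org/category/research-and-scholarship"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"
SIRTFI = "https://refeds.org/sirtfi"  # post-dates the slides; see lead-in

# The bundle an IdP releases to every R&S service provider: one decision per
# category instead of one negotiation per SP.
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
             "eduPersonScopedAffiliation")

URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Constructed aggregate: an R&S + SIRTFI SP, a hidden IdP and a plain IdP.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://rs-sp.example/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FMT}">
        <saml:AttributeValue>{RESEARCH_AND_SCHOLARSHIP}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ASSURANCE_CERTIFICATION}" NameFormat="{URI_FMT}">
        <saml:AttributeValue>{SIRTFI}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://hidden-idp.example/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FMT}">
        <saml:AttributeValue>{HIDE_FROM_DISCOVERY}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://open-idp.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_entities(metadata_xml):
    """Map entityID -> {'attrs': {name: set(values)}, 'is_idp': bool}."""
    root = ET.fromstring(metadata_xml)
    entities = {}
    for ed in root.iterfind(".//md:EntityDescriptor", NS):
        attrs = {}
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.iterfind(path, NS):
            attrs[attr.get("Name")] = {(v.text or "").strip()
                                       for v in attr.iterfind("saml:AttributeValue", NS)}
        entities[ed.get("entityID")] = {
            "attrs": attrs,
            "is_idp": ed.find("md:IDPSSODescriptor", NS) is not None,
        }
    return entities


def categories(info):
    return info["attrs"].get(ENTITY_CATEGORY, set())


def release_policy(sp_entity_id, entities):
    """Attributes an IdP releases to this SP: R&S members get the bundle,
    anything else gets nothing here (a real IdP would fall back to a
    per-SP rule)."""
    info = entities.get(sp_entity_id)
    if info is None or info["is_idp"]:
        return ()
    return RS_BUNDLE if RESEARCH_AND_SCHOLARSHIP in categories(info) else ()


def discoverable_idps(entities):
    """IdPs a discovery service should list: all but Hide from Discovery."""
    return sorted(eid for eid, info in entities.items()
                  if info["is_idp"] and HIDE_FROM_DISCOVERY not in categories(info))


def asserts_sirtfi(entity_id, entities):
    """True when the entity self-asserts SIRTFI compliance in metadata."""
    info = entities.get(entity_id)
    return info is not None and SIRTFI in info["attrs"].get(ASSURANCE_CERTIFICATION, set())


if __name__ == "__main__":
    ents = load_entities(SAMPLE_METADATA)
    for eid in ents:
        print(eid, release_policy(eid, ents), asserts_sirtfi(eid, ents))
    print("discoverable:", discoverable_idps(ents))
```

In a real deployment the metadata would come signed from the federation or from eduGAIN, and the IdP would verify that signature before trusting any entity attribute; the category is only as trustworthy as the registrar that attached it.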
harold.teunissen@surfnet.nl haroldteunissen
